How should an API use HTTP Basic authentication
Posted by user1626384 on Programmers
Published on 2012-09-12T10:22:32Z
When an API requires that a client authenticates to it, I've seen two different scenarios used and I am wondering which case I should use for my situation.
Example 1. An API is offered by a company to allow third parties to authenticate with a token and secret using HTTP Basic.
Example 2. An API accepts a username and password via HTTP Basic to authenticate an end user. Generally they get a token back for future requests.
My Setup: I will have a JSON API that I use as my backend for a mobile and web app. It seems like good practice for both the mobile and web app to send along a token and secret so only these two apps can access the API, blocking any other third party.
But the mobile and web app allow users to log in and submit posts, view their data, etc. So I would want them to log in via HTTP Basic as well on each request.
Do I somehow use a combination of both these methods or only send the end user credentials (username and token) on each request? If I only send the end user credentials, do I store them in a cookie on the client?
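The flow in Example 2 above (credentials sent once via HTTP Basic, a token returned for later requests), as an added sketch that is not part of the original post. The `Bearer` scheme for presenting the token, the in-memory stores, the PBKDF2 parameters and the sample account are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"          # constructed; use a per-user random salt in practice

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _hash("correct horse")}   # constructed sample account
TOKENS = {}                                  # sha256(token) -> username (in-memory store)

def basic_header(user, password):
    """Client side: Basic is only base64, so it must travel over TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

def parse_basic(header):
    """Return (user, password), or None if the header is not well-formed Basic."""
    scheme, _, value = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except ValueError:               # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")   # the password may contain ':'
    return (user, password) if sep else None

def login(header):
    """Exchange Basic credentials for a random token, or return None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    computed = _hash(password)       # always hash, even for unknown users
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(computed, expected):
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = user   # store only the hash
    return token

def authenticate(header):
    """Later requests: map a presented token back to its user, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return TOKENS.get(hashlib.sha256(token.strip().encode()).hexdigest())
```

With this split the password crosses the wire only at login, and the server keeps a hash of each token rather than the token itself.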